2 * hostapd / EAP Full Authenticator state machine (RFC 4137)
3 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "common/defs.h"
13 #include "utils/list.h"
14 #include "eap_common/eap_defs.h"
15 #include "eap_server/eap_methods.h"
/*
 * Bit flags for the ttls_auth bitfield declared further down in this header
 * (one bit per EAP-TTLS authentication method, so several can be OR'ed into a
 * single int). The values are distinct powers of two on purpose; keep them
 * that way if a method is added.
 */
#define EAP_TTLS_AUTH_PAP 1
#define EAP_TTLS_AUTH_CHAP 2
#define EAP_TTLS_AUTH_MSCHAP 4
#define EAP_TTLS_AUTH_MSCHAPV2 8
29 } methods
[EAP_MAX_METHODS
];
32 int password_hash
; /* whether password is hashed with
33 * nt_password_hash() */
38 unsigned int remediation
:1;
39 unsigned int macacl
:1;
40 int ttls_auth
; /* bitfield of
41 * EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
42 struct hostapd_radius_attr
*accept_attr
;
46 struct eap_eapol_interface
{
47 /* Lower layer to full authenticator variables */
48 Boolean eapResp
; /* shared with EAPOL Backend Authentication */
49 struct wpabuf
*eapRespData
;
52 Boolean eapRestart
; /* shared with EAPOL Authenticator PAE */
56 /* Full authenticator to lower layer variables */
57 Boolean eapReq
; /* shared with EAPOL Backend Authentication */
58 Boolean eapNoReq
; /* shared with EAPOL Backend Authentication */
62 struct wpabuf
*eapReqData
;
66 size_t eapSessionIdLen
;
67 Boolean eapKeyAvailable
; /* called keyAvailable in IEEE 802.1X-2004 */
69 /* AAA interface to full authenticator variables */
74 struct wpabuf
*aaaEapReqData
;
76 size_t aaaEapKeyDataLen
;
77 Boolean aaaEapKeyAvailable
;
80 /* Full authenticator to AAA interface variables */
82 struct wpabuf
*aaaEapRespData
;
83 /* aaaIdentity -> eap_get_identity() */
87 struct eap_server_erp_key
{
91 u8 rRK
[ERP_MAX_KEY_LEN
];
92 u8 rIK
[ERP_MAX_KEY_LEN
];
/**
 * struct eapol_callbacks - Callbacks from the EAP server into its owner
 *
 * Every callback receives an opaque ctx pointer; presumably this is the
 * eapol_ctx handed to eap_server_sm_init() (confirm in the implementation).
 * The owner (EAPOL/RADIUS side) implements these so the EAP state machine
 * itself stays free of user-database and key-storage details.
 */
struct eapol_callbacks {
	/*
	 * Look up the user record for an identity and fill in *user.
	 * identity is a length-delimited byte string (identity_len octets),
	 * not a C string; phase2 presumably marks a phase 2 (tunnelled)
	 * lookup as opposed to the outer identity.
	 * NOTE(review): the identity is peer-supplied and not yet
	 * authenticated when this runs — implementations must bound every
	 * access by identity_len and must not assume a NUL terminator.
	 * The int return convention is not visible here — confirm against
	 * the implementation before relying on 0/-1 semantics.
	 */
	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
			    int phase2, struct eap_user *user);
	/*
	 * Text to carry in EAP-Request/Identity; the length is returned
	 * through *len, so the buffer need not be NUL-terminated.
	 */
	const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
	/* Emit a log line on behalf of the EAP server. */
	void (*log_msg)(void *ctx, const char *msg);
	/*
	 * Whether the owner wants EAP-Initiate/Re-auth-Start (ERP) sent;
	 * exact meaning of the int is not visible here — confirm.
	 */
	int (*get_erp_send_reauth_start)(void *ctx);
	/* ERP domain name; presumably %NULL when ERP is not configured. */
	const char * (*get_erp_domain)(void *ctx);
	/*
	 * Fetch a stored ERP key pair (rRK/rIK, see struct eap_server_erp_key)
	 * by keyname. Presumably returns %NULL when no key is stored; the
	 * returned key remains owned by the owner — confirm ownership.
	 */
	struct eap_server_erp_key * (*erp_get_key)(void *ctx,
						   const char *keyname);
	/*
	 * Hand a freshly derived ERP key to the owner for storage. Whether
	 * *erp is transferred or copied is not visible here — confirm, since
	 * getting it wrong either leaks or double-frees key material.
	 */
	int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
};
112 * ssl_ctx - TLS context
114 * This is passed to the EAP server implementation as a callback
115 * context for TLS operations.
121 * eap_sim_db_priv - EAP-SIM/AKA database context
123 * This is passed to the EAP-SIM/AKA server implementation as a
126 void *eap_sim_db_priv
;
127 Boolean backend_auth
;
131 * pwd_group - The D-H group assigned for EAP-pwd
133 * If EAP-pwd is not used it can be set to zero.
138 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
140 * This parameter is used to set a key for EAP-FAST to encrypt the
141 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
142 * set, must point to a 16-octet key.
144 u8
*pac_opaque_encr_key
;
147 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
149 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
150 * is a variable length field, but due to some existing implementations
151 * requiring A-ID to be 16 octets in length, it is recommended to use
152 * that length for the field to provide interoperability with deployed
153 * peer implementations.
158 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
160 size_t eap_fast_a_id_len
;
162 * eap_fast_a_id_info - EAP-FAST authority identifier information
164 * This A-ID-Info contains a user-friendly name for the A-ID. For
165 * example, this could be the enterprise and server names in
166 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
167 * is not used, this can be set to %NULL.
169 char *eap_fast_a_id_info
;
172 * eap_fast_prov - EAP-FAST provisioning modes
174 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
175 * 2 = only authenticated provisioning allowed, 3 = both provisioning
179 NO_PROV
, ANON_PROV
, AUTH_PROV
, BOTH_PROV
183 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
185 * This is the hard limit on how long a provisioned PAC-Key can be
188 int pac_key_lifetime
;
191 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
193 * This is a soft limit on the PAC-Key. The server will automatically
194 * generate a new PAC-Key when this number of seconds (or fewer) of the
197 int pac_key_refresh_time
;
199 int eap_teap_pac_no_inner
;
200 int eap_teap_separate_result
;
202 EAP_TEAP_ID_ALLOW_ANY
= 0,
203 EAP_TEAP_ID_REQUIRE_USER
= 1,
204 EAP_TEAP_ID_REQUIRE_MACHINE
= 2,
205 EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE
= 3,
206 EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER
= 4,
207 EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE
= 5,
211 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
213 * This controls whether the protected success/failure indication
214 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
216 int eap_sim_aka_result_ind
;
220 * tnc - Trusted Network Connect (TNC)
222 * This controls whether TNC is enabled and will be required before the
223 * peer is allowed to connect. Note: This is only used with EAP-TTLS
224 * and EAP-FAST. If any other EAP method is enabled, the peer will be
225 * allowed to connect without TNC.
230 * wps - Wi-Fi Protected Setup context
232 * If WPS is used with an external RADIUS server (which is quite
233 * unlikely configuration), this is used to provide a pointer to WPS
234 * context data. Normally, this can be set to %NULL.
236 struct wps_context
*wps
;
242 * server_id - Server identity
245 size_t server_id_len
;
248 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
250 * This controls whether the authentication server derives ERP key
251 * hierarchy (rRK and rIK) from full EAP authentication and allows
252 * these keys to be used to perform ERP to derive rMSK instead of full
253 * EAP authentication to derive MSK.
256 unsigned int tls_session_lifetime
;
257 unsigned int tls_flags
;
259 unsigned int max_auth_rounds
;
260 unsigned int max_auth_rounds_short
;
263 struct eap_session_data
{
264 const struct wpabuf
*assoc_wps_ie
;
265 const struct wpabuf
*assoc_p2p_ie
;
267 #ifdef CONFIG_TESTING_OPTIONS
269 #endif /* CONFIG_TESTING_OPTIONS */
/**
 * eap_server_sm_init - Allocate and initialize an EAP server state machine
 * @eapol_ctx: Opaque owner context; presumably passed back as ctx to every
 *	@eapol_cb callback (confirm in the implementation)
 * @eapol_cb: Callbacks into the owner (see struct eapol_callbacks)
 * @conf: Server configuration (struct eap_config)
 * @sess: Per-session data such as the association IEs (struct eap_session_data)
 * Returns: The new state machine, or presumably %NULL on failure (confirm);
 *	release it with eap_server_sm_deinit()
 */
struct eap_sm * eap_server_sm_init(void *eapol_ctx,
				   const struct eapol_callbacks *eapol_cb,
				   const struct eap_config *conf,
				   const struct eap_session_data *sess);
/* Free a state machine returned by eap_server_sm_init(). */
void eap_server_sm_deinit(struct eap_sm *sm);
/*
 * Run the RFC 4137 state machine until it settles. The meaning of the int
 * return (presumably whether any state changed) is not visible here —
 * confirm before using it as a loop condition.
 */
int eap_server_sm_step(struct eap_sm *sm);
/* Notify the state machine that a cached (e.g. resumed) result is available — confirm. */
void eap_sm_notify_cached(struct eap_sm *sm);
/* Completion callback for a method that previously reported pending work. */
void eap_sm_pending_cb(struct eap_sm *sm);
/* Whether the current method is waiting on an asynchronous operation. */
int eap_sm_method_pending(struct eap_sm *sm);
/*
 * Return the identity held by the state machine (the RFC 4137 aaaIdentity
 * variable — see the comment in struct eap_eapol_interface); *len receives
 * its length in octets. The buffer is a length-delimited byte string owned
 * by sm, not a NUL-terminated C string; do not pass it to str*() functions.
 */
const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
/* Method-specific peer attributes; presumably %NULL when not available — confirm. */
const char * eap_get_serial_num(struct eap_sm *sm);
/* Name of the EAP method in use (presumably for logging/accounting). */
const char * eap_get_method(struct eap_sm *sm);
/* IMSI learned by EAP-SIM/AKA, if any; presumably %NULL otherwise — confirm. */
const char * eap_get_imsi(struct eap_sm *sm);
/*
 * Expose the shared variables between the lower layer and the full
 * authenticator (struct eap_eapol_interface). The pointer is owned by sm.
 */
struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
/* Discard the identity currently held by the state machine. */
void eap_server_clear_identity(struct eap_sm *sm);
/*
 * Hook invoked when an MSCHAP response is received. source names the
 * receiving method; username is length-delimited (username_len octets).
 * The challenge and response lengths are not carried explicitly, so they
 * are presumably fixed by the MSCHAP variant — confirm in the caller.
 */
void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
				   const u8 *username, size_t username_len,
				   const u8 *challenge, const u8 *response);
/*
 * Update the held identity from an EAP message (eap, len octets) during
 * ERP; the exact parsing is not visible here — confirm.
 */
void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
/* Free a struct eap_user and the resources it owns. */
void eap_user_free(struct eap_user *user);
/* Free a struct eap_config and the resources it owns. */
void eap_server_config_free(struct eap_config *cfg);